Will Drewry of the Google Security Team reported a problem in regular expressions code use by PostreSQL which results in a non-terminating infinite loop during nondeterministic finite automata optimization. These loops remain even after the client disconnects and can be used to hog CPU and connections to the database until a full-fledged denial of service condition occurs.
Note that these same looping behaviors have been reproduced in Tcl. Not sure if that should get its own CVE or not.
If it's same code used in multiple products / projects (usually taken from one project to another), single CVE id is usually used.
Public now, lifting embargo: http://www.postgresql.org/about/news.905 http://www.postgresql.org/support/security.html
TCL fixed in 8.5.0, patch: http://tcl.cvs.sourceforge.net/tcl/tcl/generic/regc_nfa.c?r1=1.9&r2=1.10
postgresql-8.2.6-1.fc8 has been pushed to the Fedora 8 stable repository. If problems still persist, please make note of it in this bug report.
postgresql-8.2.6-1.fc7 has been pushed to the Fedora 7 stable repository. If problems still persist, please make note of it in this bug report.
This issue was addressed in: Red Hat Application Stack: http://rhn.redhat.com/errata/RHSA-2008-0040.html Red Hat Enterprise Linux: http://rhn.redhat.com/errata/RHSA-2008-0038.html Fedora: https://admin.fedoraproject.org/updates/F7/FEDORA-2008-0552 https://admin.fedoraproject.org/updates/F8/FEDORA-2008-0478
This issue has been addressed in following products: Red Hat Enterprise Linux 5 Via RHSA-2013:0122 https://rhn.redhat.com/errata/RHSA-2013-0122.html